You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: draft-ietf-oauth-status-list.md
+33Lines changed: 33 additions & 0 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -870,6 +870,38 @@ A Status List Token in the JWT format should follow the security considerations
870
870
871
871
A Status List Token in the CWT format should follow the security considerations of {{RFC8392}}.
872
872
873
+
## Key Resolution and Trust Management
874
+
875
+
This specification does not mandate specific methods for key resolution and trust management, however the following recommendations are made:
876
+
877
+
If the Issuer of the Referenced Token is the same entity as the Status Issuer, then the same key that is embedded into the Referenced Token may be used for the Status List Token. In this case the Status List Token may use:
878
+
- the same `x5c` value or an `x5t`, `x5t#S256` or `kid` parameter referencing to the same key as used in the Referenced Token for JOSE.
879
+
- the same `x5chain` value or an `x5t` or `kid` parameter referencing to the same key as used in the Referenced Token for COSE.
880
+
881
+
Alternatively, the Status Issuer may use the same web-based key resolution that is used for the Referenced Token. In this case the Status List Token may use:
882
+
- an `x5u`, `jwks`, `jwks_uri` or `kid` parameter referencing to the same key as used in the Referenced Token for JOSE.
883
+
- an `x5u` or `kid` parameter referencing to the same key as used in the Referenced Token for COSE.
884
+
885
+
If the Issuer of the Referenced Token is a different entity than the Status Issuer, then the keys used for the Status List Token may be cryptographically linked, e.g. by an Certificate Authority through an x.509 PKI. The certificate of the Issuer for the Referenced Token and the Status Issuer should be issued by the same Certificate Authority and the Status Issuer's certificate should utilize [extended key usage](#eku).
886
+
887
+
~~~ ascii-art
888
+
┌───────────────────────┐
889
+
│ Certificate Authority │
890
+
└─┬─────────────────────┘
891
+
│ authorize
892
+
│ ┌────────┐
893
+
├─►│ Issuer │
894
+
│ └─┬──────┘
895
+
│ ▼ update status
896
+
│ ┌───────────────┐
897
+
└─►│ Status Issuer │
898
+
└─┬─────────────┘
899
+
▼ provide Status List
900
+
┌─────────────────┐
901
+
│ Status Provider │
902
+
└─────────────────┘
903
+
~~~
904
+
873
905
## Status List Caching
874
906
875
907
When fetching a Status List Token, Relying Parties must carefully evaluate how long a Status List is cached for. Collectively the `iat`, `exp` and `ttl` claims when present in a Status List Token communicate how long a Status List should be cached and should be considered valid for. The following diagram illustrates the relationship between these claims and how they are designed to influence caching.
@@ -1318,6 +1350,7 @@ for their valuable contributions, discussions and feedback to this specification
1318
1350
1319
1351
-07
1320
1352
1353
+
* add recommendations for Key Resolution and Trust Management
1321
1354
* editorial changes on terminology and Referenced Tokens
1322
1355
* clarify privacy consideration around one time use reference tokens
0 commit comments